HA Pair
'''ACTIVE/PASSIVE'''
*One device actively manages traffic until a path, link, system, or network failure occurs.
*Both share the same configuration settings. When the active fails, the passive takes over seamlessly and enforces the same policies to maintain security.
*Supported in Virtual Wire, Layer 2, and Layer 3 deployments.

'''ACTIVE/ACTIVE'''
*Both devices in the pair are active and processing traffic.
*Only recommended for networks with asymmetric routing.
*Supported in Virtual Wire and Layer 3 deployments.

Total Failover time = Failure Detection + '''HA Failover''' + Router Reconvergence

'''HA links:'''
*HA1 communicates with the CONTROL PLANE and is used to synchronize the configuration between the devices.
**This interface requires an IP address that is different from the management interface address.
*HA2 interacts with the DATA PLANE and is used to synchronize active sessions.
*Dedicated interfaces for HA1 and HA2 exist on the PA-3000, PA-4000, and PA-5000. All other devices will require data interfaces to be configured for HA use. Links do not have to be directly connected.

The following configuration settings are NOT automatically propagated across the HA links:
*Management information
*Administrator Accounts
*HA Configuration

'''General (tab):''' Device -> High Availability -> General
*Setup
*Active/Passive Settings
*Election Settings
*Control Link (HA1)
*Control Link (HA1 Backup)

'''Passive Link State configuration:''' General tab -> Active/Passive Settings

SHUTDOWN:
*The default is "Shutdown". In this state, upstream and downstream devices connected to the passive device will not see a valid path until the passive firewall becomes active.

AUTO:
*If set to "Auto", it facilitates fast failover times and forces the link status of the neighboring devices to be in a 'link up' state.
**HA devices in the passive state will not forward traffic or respond to ARP requests.
**Allows you to bring up the passive device's traffic forwarding links to reduce the failover time. It does this by bringing the interfaces on the firewall to a "link up" state, but blocks inbound and outbound traffic to the interfaces until the passive unit becomes active.
**This helps reduce failover times by eliminating the need to go through port learning and negotiation phases right after a failover to the passive. Reduces failover time by 1-2 seconds.

'''HA Timer Configuration:''' General tab -> Election Settings

Promotion Hold Time:
*Amount of time the passive or active-secondary device waits, once the active device is declared to be down, before switching to the active state.
*A value of 0 will trigger an immediate switchover when a failure is detected.
**It's best to configure a short amount of time between the failure of the active unit and when the passive takes over. This allows the surrounding devices to stabilize after the transition and state changes.
*''Recommended'': 500ms. This will provide a fast failover time of approximately 1.5 seconds.

Hello Interval:
*Hello packets are used to inform the other peer of the HA state information and are sent over the HA1 connection (control plane).
*This timer specifies how often a hello message is sent out to the peer. Set between 8,000ms - 60,000ms.
*Missing 3 hello messages will trigger a failover. It's pretty rare.
*''Recommended'': leave the default 8000ms. This is a relatively safe setting, as the Heartbeat Interval setting is usually set for a more aggressive HA1 communication failure detection rate.

Heartbeat Interval:
*Heartbeat monitoring uses ICMP pings to ensure that the HA1 connection (control plane) between the high availability members is operational.
*Missing 3 consecutive heartbeat messages constitutes a failure condition and triggers a failover event.
*A valid setting is between 1000-60,000ms. Default of 1,000ms on PA-3000 and above; 2,000ms on PA-2000 and below.
*''Recommended'': 1000ms. This provides a faster failover time: 1000ms x 3 heartbeats = 3000ms.

Maximum Number of Flaps:
*The number of times the firewall can go from an up state to a down state and back to an up state again (a flap) within 15 mins.
*Default is 3 flaps within a 15 min period. Can be from 0-16.
*The firewall should not be experiencing flaps. If you see an abnormal number of flaps, check your link and path monitoring timers to make sure they are not set too aggressively for the network conditions.
**Aggressive timers in high latency networks or networks with frequent link flapping can cause HA failover false positives.
*''Recommended'': leave the default of 3, unless abnormal conditions in the network cause the firewalls to flap.

Preemption Hold Time:
*Ensures that the higher priority firewall coming back up from a suspended or non-functional state is kept in a non-active state to allow the surrounding network devices enough time to converge.
*If the firewall comes back up before the neighboring devices are ready, a black hole situation can occur as the firewall starts to forward traffic before the other devices are ready.
*''Recommended'': leave the default time of 1 minute.

Monitor Fail Hold Up Time and HA Path Monitor Tuning:
*Used to determine how long the firewall will remain active following a link or path monitor failure.
*''Recommended'': leave the default of 0.

Additional Master Hold Up Time:
*Only applicable to the active device or active-primary device.
*Used to prevent a failover on the master device when both devices detect a link or path failure at the same time.
*This time is added to the Monitor Fail Hold Up Time for the active device.
*''Recommended'': leave the default of 500ms.

'''Link and Path Monitoring (tab):''' Device -> High Availability -> Link and Path Monitoring (tab)

'''HA-Pair OS Upgrade:''' https://live.paloaltonetworks.com/docs/DOC-4043
1. Suspend the local device (ex: Secondary): Device -> High Availability -> Operational Commands (tab)
2. Upgrade the OS on the suspended device and reboot the unit: Device -> Software
3. Once it's back up, run the command "show jobs all" to make sure the commit is complete.
4. Suspend the other device (ex: Active). This will fail over to the secondary.
5. Upgrade the OS on the device and reboot.
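The election timers above interact: HA1 loss is declared after 3 missed hellos or 3 missed heartbeats, whichever comes first, and the promotion hold time is then added before the passive unit takes over. The following checker is an added example, not Palo Alto code or anything from the linked document: it validates a set of election settings against the ranges and defaults given on this page and estimates the HA1-loss failover time, so a proposed timer change can be reviewed before it is committed. The `HaElectionSettings` class and the estimate formula are assumptions built from the page's figures.

```python
"""Validate HA election timers against the ranges on this page and estimate
the time from an HA1 (control-link) loss to the passive unit becoming active.

Added example (not Palo Alto code). Assumptions: failover triggers on the
first of 3 missed hellos or 3 missed heartbeats, and the promotion hold time
is added on top of that detection time.
"""
from dataclasses import dataclass

MISSED_MESSAGES_FOR_FAILOVER = 3        # page: 3 missed hellos / heartbeats
HELLO_RANGE_MS = (8_000, 60_000)        # page: valid hello interval
HEARTBEAT_RANGE_MS = (1_000, 60_000)    # page: valid heartbeat interval
FLAP_RANGE = (0, 16)                    # page: max flaps per 15 minutes


@dataclass
class HaElectionSettings:
    """Election Settings tab values; defaults are the page's recommendations."""
    promotion_hold_ms: int = 500
    hello_interval_ms: int = 8_000
    heartbeat_interval_ms: int = 1_000      # 2_000 on PA-2000 and below
    max_flaps: int = 3
    preemption_hold_min: int = 1
    monitor_fail_hold_up_ms: int = 0
    additional_master_hold_up_ms: int = 500


def _in_range(value, bounds):
    lo, hi = bounds
    return lo <= value <= hi


def validate(s: HaElectionSettings) -> list:
    """Return a list of problems; an empty list means the settings are within
    the page's valid ranges. Out-of-range values would be rejected by the
    firewall; sub-default values are flagged as aggressive, because the page
    warns that aggressive timers cause false-positive failovers (flaps)."""
    problems = []
    if not _in_range(s.hello_interval_ms, HELLO_RANGE_MS):
        problems.append("hello interval outside 8000-60000ms")
    if not _in_range(s.heartbeat_interval_ms, HEARTBEAT_RANGE_MS):
        problems.append("heartbeat interval outside 1000-60000ms")
    if not _in_range(s.max_flaps, FLAP_RANGE):
        problems.append("max flaps outside 0-16")
    if s.promotion_hold_ms < 0:
        problems.append("promotion hold time must not be negative")
    if s.promotion_hold_ms == 0:
        problems.append("promotion hold of 0 switches over immediately; "
                        "neighbors get no time to stabilize (page recommends 500ms)")
    if s.preemption_hold_min < 1:
        problems.append("preemption hold below the 1 minute default risks a "
                        "black hole while neighbors reconverge")
    return problems


def detection_time_ms(s: HaElectionSettings) -> int:
    """Time to declare HA1 down: the first monitor to miss 3 messages wins.
    With the defaults the heartbeat (3 x 1000ms) fires long before the
    hello (3 x 8000ms), which is why the page calls the hello timer 'safe'."""
    hello_loss = MISSED_MESSAGES_FOR_FAILOVER * s.hello_interval_ms
    heartbeat_loss = MISSED_MESSAGES_FOR_FAILOVER * s.heartbeat_interval_ms
    return min(hello_loss, heartbeat_loss)


def estimated_failover_ms(s: HaElectionSettings) -> int:
    """Failure detection plus the HA failover (promotion hold) component of the
    page's 'Total Failover time'; router reconvergence is not modelled."""
    return detection_time_ms(s) + s.promotion_hold_ms


if __name__ == "__main__":
    for label, cfg in (
        ("recommended", HaElectionSettings()),
        ("PA-2000 default", HaElectionSettings(heartbeat_interval_ms=2_000)),
        ("too aggressive", HaElectionSettings(hello_interval_ms=5_000, promotion_hold_ms=0)),
    ):
        print(f"{label}: detect {detection_time_ms(cfg)}ms, "
              f"failover ~{estimated_failover_ms(cfg)}ms, problems={validate(cfg)}")
```

Run it on a proposed timer set before changing Election Settings; if the estimated detection time drops well below the 3000ms the page arrives at, expect the flap counter to be the first place trouble shows up.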